package org.redhat.auth.security.util;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;

import org.redhat.auth.security.core.AuthFilterSecurityInterceptor;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator;

/**
 * 权限封装类
 * 
 * @author lingen.liu
 * 
 */
public class AuthAuthorizeUtil {

	/* spring 进行权限判断的核心类 */
	private static DefaultWebInvocationPrivilegeEvaluator webInovke;

	/* 自己构建一个基于数据库权限的webInvoke */
	private static DefaultWebInvocationPrivilegeEvaluator dataWebInovke;

	/* 自己实现的验证过滤器，将其注入给 dataWebInovke */
	private static AuthFilterSecurityInterceptor authFilter;

	static {
		ApplicationContext ctx = new ClassPathXmlApplicationContext(
				"spring/security-context.xml");
		webInovke = ctx.getBean(DefaultWebInvocationPrivilegeEvaluator.class);
		authFilter = ctx.getBean(AuthFilterSecurityInterceptor.class);
		// 构造一个基于数据库的验证invoke
		dataWebInovke = new DefaultWebInvocationPrivilegeEvaluator(authFilter);
	}

	/**
	 * 传入一个URL地址，判断当前登录用户是否有访问此URL的权限
	 * 
	 * 验证规则：验证必须同时验证xml中的配置及数据库中的配置
	 * 
	 * @param url
	 * @return
	 */
	public static boolean hasAuthorize(String url) {
		Authentication authentication = SecurityContextHolder.getContext()
				.getAuthentication();
		/* 检测是否能通过xml配置的权限 */
		boolean xmlAuthorize = webInovke.isAllowed(url, authentication);

		/* 检测是否能通过数据库配置的权限 */
		boolean dataAuthorize = dataWebInovke.isAllowed(url, authentication);

		/* 只有同时通过xml配置及数据库配置的权限控制，才返回true */
		if (xmlAuthorize && dataAuthorize)
			return true;
		return false;
	}

	/**
	 * 传入URL访问数组，当前登录用户若是拥有全部访问权限，返回true,否则返回false
	 * 
	 * @param urls
	 * @return
	 */
	public static boolean hasAllAuthorize(String[] urls) {
		for (String url : urls) {
			if (!hasAuthorize(url))
				return false;
		}
		return true;
	}

	/**
	 * 传入URL访问数组，当前登录用户只要拥有其中一个URL的访问权限，返回true,否则返回false
	 * 
	 * @param urls
	 * @return
	 */
	public static boolean hasAnyAuthorize(String[] urls) {
		for (String url : urls) {
			if (hasAuthorize(url))
				return true;
		}
		return false;
	}

	/**
	 * 传入一个角色，判断当前登录用户是否拥有此角色
	 * 
	 * @param role
	 * @return
	 */
	public static boolean hasRole(String role) {
		ArrayList<String> roles = AuthUserUtil.getRoles();
		if (roles.contains(role)) {
			return true;
		}
		return false;
	}

	/**
	 * 传入一角色数组，判断当前用户是否全部拥有这些角色，若拥有，返回true,否则,返回false
	 * 
	 * @param roles
	 * @return
	 */
	public static boolean hasAllRoles(String[] roles) {
		ArrayList<String> userRoles = AuthUserUtil.getRoles();
		for (String role : roles) {
			if (!userRoles.contains(role))
				return false;
		}
		return true;
	}

	/**
	 * 传入一角色数组，判断当前用户是否拥有任意其中一个角色，若拥有，返回true,否则返回false
	 * 
	 * @param roles
	 * @return
	 */
	public static boolean hasAnyRoles(String[] roles) {
		ArrayList<String> userRoles = AuthUserUtil.getRoles();
		for (String role : roles) {
			if (userRoles.contains(role))
				return true;
		}
		return false;
	}

}
